Hmily posted on 2012-3-6 10:58

Oreans UnVirtualizer ODBG Plug-in v1.4 (WL/TMD/CV)

From: exetools


- Fixed Cisc - CALL
- Fixed Cisc - SHL REG32, IMMC
- Fixed an issue with odbg when using context menu
- Added TAB key on windows
- Added autofill on FindReferences window
- Risc-64 machine function
- Added OreansAssember_Risc.cfg
Well, it was a long journey to deal with Risc, but it's almost finished, hope you like it

Some info about RISC machines
- It's still in debug mode, so it may take a long time to deobfuscate it
- 128 variant is not available, it could fail on that machine
- The example provided was modified in order to show how to deal with it when deobfuscation fails
- In case of failure, two errors may pop up: (1) about Follow jump, this has a trial-error solution:
press reload and then the other option, (2) about could not find XXXX handler,
in this case the left list control shows the current vm entry, and the right one the 'ideal handler',
in 80% of cases, the red instruction is the problem, the yellow part shows the handler that could
not be identified, press delete after selecting the 'wrong instruction' on the left panel (could be more than one)
- The example was compiled with full protection 64variant
- Can't read some opcodes like movzx, xchg, movsx, muls, div, etc


Deathway.
Example link: http://www.sendspace.com/file/fa45ny

PD: Example solution
Put a HWBP on execution at 00401058 and press F9 (could be on normal olly, doesn't have debug detection)
Click on 00401058 and press Alt - I
First error: press 'No'
Second error: On left panel select 00D5DFE4 and press delete
Third error: On left panel select 00D781CC and press delete then select 00D781CE and press delete

On the next popup window insert 005FC4DC and press enter

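消逝 posted on 2012-3-6 11:05

First reply on Big H's thread, and it's my first time ever. Learning from Big H.

mycc posted on 2012-3-6 11:25

This thing is very interesting, worth bookmarking.

xiaoheicool posted on 2012-3-6 11:32

Coming to take a look at what this thing is, just here to observe.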

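Smallhorse posted on 2012-3-6 12:12

Bumping for H, good stuff! ---- One thing I don't get! It's always in English, and English-illiterates like us are stuck, so I did a rough translation for newbies like me. If you don't like it, don't flame!!
---------------------------------------------------------------------------------------------
[v1.4)
Fixed Cisc - CALL - - - - - -[REG32 + IMMC)
- - - - - - - - - - - - REG32 fixed Cisc SHL, IMMC
Fixed an issue: odbg when using the context menu
TAB key can - added windows
autofill - added on the FindReferences window
Risc - 64 machine function - - - - - -
OreansAssember_Risc.cfg - added
Well, it was a long journey to deal with Risc, but my part is almost done, hope you like it
Some info about RISC machines
- It is still in debug mode, so it will take a long time to deobfuscate
Not our side - 128 variant, it may also fail on that machine
The example provided was modified - in order to show how to deal with it when deobfuscation fails
- Really failed, two errors may pop up (1) about following the jump, this has a trial-error solution:
press load, then the other option; (2) about not finding the XXXX handler,
in this case the list control on the left shows the current vm entry and the right one the "ideal handler",
in 80% of cases, the red instruction is the problem, the yellow part shows the handler that could
not be identified, then press "delete the selected wrong instruction" on the left panel (could be more than one)
- This example was compiled with full protection, 64 variant
- Cannot read some opcodes like movzx, xchg, movsx, muls, div, etc.
Deathway.
Example link: http://www.sendspace.com/file/fa45ny
PD: Example solution
Put a HWBP on execution at 00401058 and press F9 (can be in normal Olly, no debug detection)
Click and press Alt - 00401058
First error: press "No"
Second error: on the left panel select 00 D5DFE4 and press delete
Third error: on the left panel select 00 D781CC and press delete, then select 00 D781CE and press delete
On the next popup window insert 005 FC4DC and then press Enter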

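mycc posted on 2012-3-6 17:17

Smallhorse posted on 2012-3-6 12:12
Bumping for H, good stuff! ---- One thing I don't get! It's always in English, and English-illiterates like us are stuck, so I did a rough translation, for those who like me are ...

This thing was made by a foreigner; is English really that abnormal?

Smallhorse posted on 2012-3-6 19:02

mycc posted on 2012-3-6 17:17
This thing was made by a foreigner; is English really that abnormal?

Calm down, poster above! It's not that it's abnormal! It's a foreigner's thing! Translated, it's easier to understand! Is there anything wrong with that?

wanwanle posted on 2012-6-9 15:14

I support localizing it; Chinese is just easier to read.

rgbwcwmtd posted on 2014-11-15 19:08

I don't know what this is used for.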